Analysis
max time kernel: 146s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:43
Static task: static1
Behavioral task: behavioral1
Sample: 03497a1a093756aba69a5961c2b96a53378267f82908501f02d697f814114add.exe
Resource: win10v2004-20241007-en
General
Target: 03497a1a093756aba69a5961c2b96a53378267f82908501f02d697f814114add.exe
Size: 1.1MB
MD5: e8dbe5300af3ee3b6c45ec159ca7e638
SHA1: 8bf80951366faa9284d017ae84706e191635f445
SHA256: 03497a1a093756aba69a5961c2b96a53378267f82908501f02d697f814114add
SHA512: 2b2dc74cbf229cc338b6a63460a4e2bfe0ec3e417eb7095287ba1344f03a20b17ecbba26262339f1a83de65bcd6ad15ab34da69c354f8ad711bf385f7ae43bf6
SSDEEP: 24576:3ynqRV/GG4cDH31rQPo9eIarXfUB2DeRH:CnSuMDH31UPQeIEXsB2De
Malware Config
Extracted
Family: redline
Botnet: lada
C2: 185.161.248.90:4125
auth_value: 0b3678897547fedafe314eda5a2015ba
Extracted
Family: redline
Botnet: diza
C2: 185.161.248.90:4125
auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/4184-22-0x0000000002590000-0x00000000025AA000-memory.dmp | healer
behavioral1/memory/4184-24-0x00000000026D0000-0x00000000026E8000-memory.dmp | healer
behavioral1/memory/4184-36-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-52-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-50-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-48-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-46-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-44-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-42-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-40-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-38-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-34-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-32-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-30-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-28-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-25-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
behavioral1/memory/4184-26-0x00000000026D0000-0x00000000026E2000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
Processes: pr378489.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr378489.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr378489.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr378489.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr378489.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr378489.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr378489.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (5 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2740-2204-0x0000000005760000-0x0000000005792000-memory.dmp | family_redline
C:\Windows\Temp\1.exe | family_redline
behavioral1/memory/5168-2217-0x0000000000590000-0x00000000005BE000-memory.dmp | family_redline
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk284299.exe | family_redline
behavioral1/memory/5480-2228-0x0000000000F00000-0x0000000000F30000-memory.dmp | family_redline
Redline family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: qu567557.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | qu567557.exe
Executes dropped EXE (6 IoCs)
Processes: un361175.exe, un566805.exe, pr378489.exe, qu567557.exe, 1.exe, rk284299.exe
pid | process
1480 | un361175.exe
4884 | un566805.exe
4184 | pr378489.exe
2740 | qu567557.exe
5168 | 1.exe
5480 | rk284299.exe
Windows security modification
Processes: pr378489.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr378489.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr378489.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 03497a1a093756aba69a5961c2b96a53378267f82908501f02d697f814114add.exe, un361175.exe, un566805.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 03497a1a093756aba69a5961c2b96a53378267f82908501f02d697f814114add.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un361175.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un566805.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe
pid | pid_target | process | target process
540 | 4184 | WerFault.exe | pr378489.exe
5372 | 2740 | WerFault.exe | qu567557.exe
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: pr378489.exe, qu567557.exe, 1.exe, rk284299.exe, 03497a1a093756aba69a5961c2b96a53378267f82908501f02d697f814114add.exe, un361175.exe, un566805.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr378489.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu567557.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rk284299.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 03497a1a093756aba69a5961c2b96a53378267f82908501f02d697f814114add.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un361175.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un566805.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: pr378489.exe
pid | process
4184 | pr378489.exe
4184 | pr378489.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: pr378489.exe, qu567557.exe
description | pid | process
Token: SeDebugPrivilege | 4184 | pr378489.exe
Token: SeDebugPrivilege | 2740 | qu567557.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Processes: 03497a1a093756aba69a5961c2b96a53378267f82908501f02d697f814114add.exe, un361175.exe, un566805.exe, qu567557.exe
description | pid | process | target process
PID 1756 wrote to memory of 1480 | 1756 | 03497a1a093756aba69a5961c2b96a53378267f82908501f02d697f814114add.exe | un361175.exe
PID 1756 wrote to memory of 1480 | 1756 | 03497a1a093756aba69a5961c2b96a53378267f82908501f02d697f814114add.exe | un361175.exe
PID 1756 wrote to memory of 1480 | 1756 | 03497a1a093756aba69a5961c2b96a53378267f82908501f02d697f814114add.exe | un361175.exe
PID 1480 wrote to memory of 4884 | 1480 | un361175.exe | un566805.exe
PID 1480 wrote to memory of 4884 | 1480 | un361175.exe | un566805.exe
PID 1480 wrote to memory of 4884 | 1480 | un361175.exe | un566805.exe
PID 4884 wrote to memory of 4184 | 4884 | un566805.exe | pr378489.exe
PID 4884 wrote to memory of 4184 | 4884 | un566805.exe | pr378489.exe
PID 4884 wrote to memory of 4184 | 4884 | un566805.exe | pr378489.exe
PID 4884 wrote to memory of 2740 | 4884 | un566805.exe | qu567557.exe
PID 4884 wrote to memory of 2740 | 4884 | un566805.exe | qu567557.exe
PID 4884 wrote to memory of 2740 | 4884 | un566805.exe | qu567557.exe
PID 2740 wrote to memory of 5168 | 2740 | qu567557.exe | 1.exe
PID 2740 wrote to memory of 5168 | 2740 | qu567557.exe | 1.exe
PID 2740 wrote to memory of 5168 | 2740 | qu567557.exe | 1.exe
PID 1480 wrote to memory of 5480 | 1480 | un361175.exe | rk284299.exe
PID 1480 wrote to memory of 5480 | 1480 | un361175.exe | rk284299.exe
PID 1480 wrote to memory of 5480 | 1480 | un361175.exe | rk284299.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\03497a1a093756aba69a5961c2b96a53378267f82908501f02d697f814114add.exe (PID 1756)
    Command line: "C:\Users\Admin\AppData\Local\Temp\03497a1a093756aba69a5961c2b96a53378267f82908501f02d697f814114add.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un361175.exe (PID 1480)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un361175.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un566805.exe (PID 4884)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un566805.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr378489.exe (PID 4184)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr378489.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WerFault.exe (PID 540)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1088
            - Program crash
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu567557.exe (PID 2740)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu567557.exe
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Temp\1.exe (PID 5168)
            Command line: "C:\Windows\Temp\1.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\WerFault.exe (PID 5372)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1164
            - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk284299.exe (PID 5480)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk284299.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
[1] C:\Windows\SysWOW64\WerFault.exe (PID 4564)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4184 -ip 4184
[1] C:\Windows\SysWOW64\WerFault.exe (PID 5224)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2740 -ip 2740
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads